# Copyright 2015 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. require 'date' require 'google/apis/core/base_service' require 'google/apis/core/json_representation' require 'google/apis/core/hashable' require 'google/apis/errors' module Google module Apis module StsV1beta # Request message for ExchangeToken. class GoogleIdentityStsV1betaExchangeTokenRequest include Google::Apis::Core::Hashable # The full resource name of the identity provider; for example: `https://iam. # googleapis.com/projects/`PROJECT_ID`/workloadIdentityPools/`POOL_ID`/providers/ # `PROVIDER_ID``. Required when exchanging an external credential for a Google # access token. # Corresponds to the JSON property `audience` # @return [String] attr_accessor :audience # Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token- # exchange`, which indicates a token exchange is requested. # Corresponds to the JSON property `grantType` # @return [String] attr_accessor :grant_type # A set of features that Security Token Service supports, in addition to the # standard OAuth 2.0 token exchange, formatted as a serialized JSON object of # Options. # Corresponds to the JSON property `options` # @return [String] attr_accessor :options # Required. An identifier for the type of requested security token. Must be `urn: # ietf:params:oauth:token-type:access_token`. # Corresponds to the JSON property `requestedTokenType` # @return [String] attr_accessor :requested_token_type # The OAuth 2.0 scopes to include on the resulting access token, formatted as a # list of space-delimited, case-sensitive strings. Required when exchanging an # external credential for a Google access token. # Corresponds to the JSON property `scope` # @return [String] attr_accessor :scope # Required. The input token. This is a either an external credential issued by a # WorkloadIdentityPoolProvider, or a short-lived access token issued by Google. # If the token is an OIDC JWT, it must use the JWT format defined in [RFC 7523]( # https://tools.ietf.org/html/rfc7523), and `subject_token_type` must be `urn: # ietf:params:oauth:token-type:jwt`. The following headers are required: - **` # kid`**: The identifier of the signing key securing the JWT. - **`alg`**: The # cryptographic algorithm securing the JWT. Must be `RS256`. The following # payload fields are required. For more information, see [RFC 7523, Section 3]( # https://tools.ietf.org/html/rfc7523#section-3). - **`iss`**: The issuer of the # token. The issuer must provide a discovery document at `/.well-known/openid- # configuration`, formatted according to section 4.2 of the [OIDC 1.0 Discovery # specification](https://openid.net/specs/openid-connect-discovery-1_0.html# # ProviderConfigurationResponse). - **`iat`**: The issue time, in seconds, since # epoch. Must be in the past. - **`exp`**: The expiration time, in seconds, # since epoch. Must be fewer than 48 hours after `iat`. Shorter expiration times # are more. secure. If possible, we recommend setting an expiration time fewer # than 6 hours. - **`sub`**: The identity asserted in the JWT. - **`aud`**: # Configured by the mapper policy. The default value is the service account's # unique ID. Example header: ``` ` "alg": "RS256", "kid": "us-east-11" ` ``` # Example payload: ``` ` "iss": "https://accounts.google.com", "iat": 1517963104, # "exp": 1517966704, "aud": "113475438248934895348", "sub": " # 113475438248934895348", "my_claims": ` "additional_claim": "value" ` ` ``` If ` # subject_token` is an AWS token, it must be a serialized, [signed](https://docs. # aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) request to the # AWS [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/ # APIReference/API_GetCallerIdentity) method. Format the request as URL-encoded # JSON, and set the `subject_token_type` parameter to `urn:ietf:params:aws:token- # type:aws4_request`. The following parameters are required: - **`url`**: The # URL of the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts. # amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15`. Regional endpoints # are also supported. - **`method`:** The HTTP request method: `POST`. - **` # headers`**: The HTTP request headers, which must include: - **`Authorization`** # : The request signature. - **`x-amz-date`**`: The time you will send the # request, formatted as an [ISO8601 Basic](https://docs.aws.amazon.com/general/ # latest/gr/sigv4_elements.html#sigv4_elements_date) string. This is typically # set to the current time, and used to prevent replay attacks. - **`host`**: The # hostname of the `url` field; for example, `sts.amazonaws.com`. - **`x-goog- # cloud-target-resource`**: The full, canonical resource name of the # WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: `` # ` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ # https://iam.googleapis.com/projects//locations//workloadIdentityPools// # providers/ ``` Signing this header as part of the signature is recommended to # ensure data integrity. If you are using temporary security credentials # provided by AWS, you must also include the header `x-amz-security-token`, with # the value `[SESSION_TOKEN]`. The following is an example of a signed, # serialized request: ``` ` "headers":[ `"key": "x-amz-date", "value": " # 20200815T015049Z"`, `"key": "Authorization", "value": "AWS4-HMAC-SHA256+ # Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target- # resource,+Signature=$signature"`, `"key": "x-goog-cloud-target-resource", " # value": "//iam.googleapis.com/projects//locations//workloadIdentityPools// # providers/"`, `"key": "host", "value": "sts.amazonaws.com"` . ], "method":" # POST", "url":"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011- # 06-15" ` ``` You can also use a Google-issued OAuth 2.0 access token with this # field to obtain an access token with new security attributes applied, such as # an AccessBoundary. In this case, set `subject_token_type` to `urn:ietf:params: # oauth:token-type:access_token`. Applying additional security attributes on # access tokens that already contain security attributes is not allowed. # Corresponds to the JSON property `subjectToken` # @return [String] attr_accessor :subject_token # Required. An identifier that indicates the type of the security token in the ` # subject_token` parameter. Supported values are `urn:ietf:params:oauth:token- # type:jwt`, `urn:ietf:params:aws:token-type:aws4_request` and `urn:ietf:params: # oauth:token-type:access_token`. # Corresponds to the JSON property `subjectTokenType` # @return [String] attr_accessor :subject_token_type def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @audience = args[:audience] if args.key?(:audience) @grant_type = args[:grant_type] if args.key?(:grant_type) @options = args[:options] if args.key?(:options) @requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type) @scope = args[:scope] if args.key?(:scope) @subject_token = args[:subject_token] if args.key?(:subject_token) @subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type) end end # Response message for ExchangeToken. class GoogleIdentityStsV1betaExchangeTokenResponse include Google::Apis::Core::Hashable # An OAuth 2.0 security token, issued by Google, in response to the token # exchange request. # Corresponds to the JSON property `access_token` # @return [String] attr_accessor :access_token # The expiration time of `access_token`, in seconds, from the time of issuance. # This field is absent when the `subject_token` in the request is a Google- # issued, short-lived access token. In this case, the expiration time of the ` # access_token` is the same as the `subject_token`. # Corresponds to the JSON property `expires_in` # @return [Fixnum] attr_accessor :expires_in # The token type. Always matches the value of `requested_token_type` from the # request. # Corresponds to the JSON property `issued_token_type` # @return [String] attr_accessor :issued_token_type # The type of `access_token`. Always has the value `Bearer`. # Corresponds to the JSON property `token_type` # @return [String] attr_accessor :token_type def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @access_token = args[:access_token] if args.key?(:access_token) @expires_in = args[:expires_in] if args.key?(:expires_in) @issued_token_type = args[:issued_token_type] if args.key?(:issued_token_type) @token_type = args[:token_type] if args.key?(:token_type) end end end end end